In this series, I will outline my views about the disadvantages of Google's Chromebook, a netbook running Chrome OS. Part 1 discusses security.
By Michael Pietroforte

A few days ago, Google announced Chromebooks, "a new kind of computer," as the Google Chrome blog post was titled. I watched the Day 2 video of the keynote speech for the Google I/O developer conference, and I read several comments on the web. I often found myself shaking my head. This five-part series covers eight of the causes that made my head shake: security, accessibility and ability, updates and backup, usability and cloudability.

I must add a disclaimer before I start. After reading this, you might conclude that this is just another one of my Microsoft fan boy posts. The truth is that I am also a Google fan boy. Not only is the Google search engine much better than Bing, they also have the better web browser. And I couldn't live without many of Google's great web applications. Although I had quite a few issues with Android, I believe it is the best mobile OS out there. I want you to keep this in mind when reading the following rant against Chromebooks.

1. Security

My neck still hurts from shaking my head too intensely when Sundar Pichai (senior vice president of Chrome) brought up the security argument against Windows. Frankly, this is plain FUD. It is true that you won't need antivirus software for Chromebooks. But the only reason for this is that their market share will be even lower than for other Linux netbooks. Thus virus writers have no reason to specifically target the underlying Linux of Chrome OS. They can just rely on the inherently low security of the Open Web. However, if Chromebooks ever reach a significant market share (which I doubt), then virus writers will target Chrome OS in exactly the same way as they do today with Windows. Rest assured that you will then have to install antivirus software on Chromebooks.

Besides, when it comes to security, conventional viruses only play a minor role nowadays. You don't have to be a security expert to know that the bad guys shifted their attention from Windows to the Open Web years ago. Hacking a popular website and infecting it with malware, or creating a new website and then pushing it to the top in Google for popular search terms, is certainly much more effective than writing a Windows virus, considering that Microsoft raised the security level a few bars with Windows Vista and again with Windows 7. Funny thing is that Google Chrome is the most vulnerable application out there. It is no coincidence that almost all of the top 15 most vulnerable applications are related to the web.

Yes, Google invested a lot in Chromium's security. But if you take a closer look at the security measures, you will notice that Chrome OS faces the same security issues as any other operating system. Google wants us to believe that a Chromebook is a new kind of computer that didn't inherit the legacy problems of operating systems created decades ago. The truth is that Chrome OS is simply a Linux distribution that can only run one conventional application. This application happens to be the most vulnerable program facing the Open Web, which is the most insecure place in cyberspace.

It is a nightmare for any admin if users can run any kind of application on the Open Web, exposing the whole company network with their Chromebooks. Traditionally, firewalls and other security mechanisms shielded the corporate network from the dangerous Internet. How can you shield Chromebooks? As soon as all your data and applications are in the Open Web, your firewall has become obsolete. This means the bad guys can access your data anytime and from anywhere. Unlike business travelers, hackers around the planet always have high-speed Internet access. So, for them, the "high accessibility" of your organization's data has a completely different meaning. Moving your complete corporate network to the Open Web increases the attack surface of your organization's IT to the size of the whole Internet.

And what about the cloud providers? Do you really trust all Google's employees and those of other cloud providers 100%, considering that you've never met even one of their admins in person? Everyone who has physical access to your data and applications has a range of new ways to do bad things to your organization's most valuable assets.

Of course, these objections against cloud security are not new and are debated heavily on the web. But to tout Chromebooks as more secure, just because their insignificant market share in the foreseeable future makes antivirus software obsolete, is either barefaced or naïve.


In my next post, I will compare the accessibility and the ability of Chrome OS and Windows applications.

  1. Stefan 13 years ago

    Some remarks to this security review (although it's more a pleading for the traditional way laptop):

    – the number of security flaws is not a good measurement for security. More important is the amount of time security flaws are exploitable and how easily that can be done.

    One example:

    Software A has 50 flaws which are fixed at an average of 5 days.
    Software B has 25 flaws fixed at an average of 15 days.

    You can say: A is twice as insecure as B, but that would be unfair.
    Running software B will leave a flaw to exploit open every day of the year. Whereas B is only exploitable for 8 months (plus some days over a week). And malware-writers are having more time to write exploits. Not to mention that postponed/ignored updates (by users) will worsen the situation; this is the reason why Chrome updates automatically and not on a fixed patch-day.

    Additionally, closed-source vendors can fix security flaws quietly if they discover them before others.

    So it's not as simple as it seems.

    – Firewalls aren't helping applications running on desktop-computers (unless they act as services) because they don't work on the application-level. Chromebooks are not part of the internet, they connect to local (wireless) networks which are protected by gateway-firewalls. So nothing new with Chromebooks here.

    – the paragraph about cloud-computing-concerns is a general problem and not chromebook/google specific. Can you trust Google/Microsoft/Amazon? If not, encrypt all your data or host all services. Host all your services on your own: Mailserver, Calendar and stick to the traditional way.
    But I guess most end-users will trade all the complexity, backup, usability, compatibility and sync-problems for a simple and working solution like this.

  2.

    Stefan, I agree that measuring security is difficult and the number of security holes alone is not sufficient for a comparison. However, these data definitely indicate that Chrome and Chrome OS are not as secure as Google claims.

    As for firewalls, I think you missed the point of my argument. Applications for Chromebooks are hosted in the cloud. That is the whole point about Chrome OS, right? These applications are coming from outside the perimeter network, which means that organizations have no control over their security. This is not just about Google's own apps or other major cloud providers. Google wants a paradigm shift where all applications come from the Internet. The more such applications are available on the Open Web, the more dangerous it becomes for organizations because users can launch any application they want.

    Traditionally, the corporate firewall prevents users from downloading Windows programs and admins can ensure that only applications that are approved can be launched by users. In a world where all applications come from the Open Web things are fundamentally different and significantly less secure.

    Also, it is good news that Angry Birds now also runs in Chrome for all friends of computer games. But is this also good news for businesses if users can now play all kinds of games on the Open Web during work time?

    And you are right, this is also about cloud computing in general. But the point is that Chromebooks can only be used for cloud computing. And with all these unsolved security issues it is just dishonest of Google to tout Chromebooks as more secure simply because Windows viruses won’t run on them.

  3. Stefan 13 years ago

    Games are preinstalled on all major end-user OS, why is that a Chromebook problem?! I never heard someone saying that because of the presence of Solitaire on Windows it's not usable for businesses.

    Firewalls cannot prevent users from downloading Windows programs. Even if ftp and http-downloads are blocked, switch to SSL-encryption and you're done.

    Firewalls work on the network-level, not on the application level! A firewall is not a proxy or content-filtering system which works like a proxy.

    Believing that companies are whitelisting every single piece of software on all computers is just wishful thinking. Who can afford the IT staff needed for that task? Maybe some high-security organizations but not the average business.

  4.

    Stefan, in a business environment Windows is usually deployed without games. If it were not possible to remove the games, it would be indeed a serious problem for businesses.

    Firewalls certainly can prevent users from downloading executables even if SSL is used. GFI WebMonitor is an example. And of course, firewalls can work at the application level. That is why these kinds of firewalls are called application layer firewalls.

    Whitelisting applications is indeed recommended for organizations who value security. With AppLocker, Windows is very well equipped here.

  5. Stefan 13 years ago

    Well, firewalls which exchange SSL-Certificates with their own break the end-to-end-security SSL provides. And all that application-layer-stuff marketing sells us – isn't worth the money (this site is for sysops and not for management, right?).

    Additionally, all the fancy content-mangling and scanning makes the firewall-computer less secure by adding vulnerabilities from the firewall-product to the already exposed host.
    Trying to solve all end-computer problems on a gateway is old-school-thinking. Usually some fancy firewall is bought and the internal network gets less(er) attention. A better approach is to assume that the firewall is more or less easy to penetrate and to secure every system on the system as if it were directly reachable in the internet.

    Why are we debating about firewalls? Ah, right, Chromebooks communicate through the gateway-firewall to the internet. As long as this traffic is encrypted and Google's datacenters are secure, it's the same as working via VPN as road-warrior (I cannot imagine one sysop without VPN-access). Usually datacenters are more secure than the usual (business) server-room.

  6. Anonymous 8 years ago

    This article is extremely biased against Chromebooks. It does not look at the other side of Chromebook security.



© 4sysops 2006 - 2023

